<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss'><id>tag:blogger.com,1999:blog-29245024</id><updated>2009-11-21T21:58:36.107-05:00</updated><title type='text'>Andy, ITGuy</title><subtitle type='html'>I am Security. Hear me ROAR!</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://andyitguy.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default'/><link rel='alternate' type='text/html' href='http://andyitguy.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default?start-index=26&amp;max-results=25'/><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>andy.itguy@yahoo.com</email></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>481</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-29245024.post-974874603634689723</id><published>2009-01-11T23:27:00.002-05:00</published><updated>2009-01-11T23:30:35.774-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='andyitguy.com'/><title type='text'>Farewell Blogger</title><content type='html'>After 2 1/2 years of blogging here at blogger.com I've decided to move on. I finally registered &lt;a href="http://www.andyitguy.com"&gt;www.andyitguy.com&lt;/a&gt; and have moved my blog there. The Security Bloggers Network has already started publishing that feed and soon Feedburner will also. 
Hopefully you won't have to do anything different to receive the new feeds. Cross your fingers.&lt;br /&gt;&lt;br /&gt;I'll try to post a reminder here over the next couple of days. Hope to see you at &lt;a href="http://www.andyitguy.com"&gt;www.andyitguy.com&lt;/a&gt;!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/29245024-974874603634689723?l=andyitguy.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/974874603634689723'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/974874603634689723'/><link rel='alternate' type='text/html' href='http://andyitguy.blogspot.com/2009/01/farewell-blogger.html' title='Farewell Blogger'/><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>andy.itguy@yahoo.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10812177971116306280'/></author></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-3796882059869951968</id><published>2009-01-08T21:47:00.002-05:00</published><updated>2009-01-10T21:15:27.370-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Andy ITGuy'/><category scheme='http://www.blogger.com/atom/ns#' term='information security'/><title type='text'>Security Economics</title><content type='html'>&lt;p&gt;In tough economic times we all have to watch where we spend money and how we spend it. We can’t let bad financial times or the threat of what may happen keep us from spending what we need to spend to ensure that our data is secure. We can’t be stupid and spend just for the sake of spending, but we also can’t not spend just to save money. 
Sometimes money has to be spent now to keep from spending more later.&lt;/p&gt; &lt;p&gt;I remember several years ago there was a commercial for Pennzoil with Arnold Palmer. The key line was “You can pay now or you can pay later”. It was in reference to spending a little now to change your oil regularly or pay a lot later when you have to have major repairs. I also saw something today that made me think about this. There is a water line break in Atlanta near my office. It’s been there for about 2 or 3 weeks. You can see where the water is seeping through the asphalt and it’s creating a nice little river flowing down a side road. Of course it’s frozen a time or two and probably will tonight since it’s supposed to get down to the upper 20’s tonight. I assume that it’s not being fixed because of the budget crunch that the city of Atlanta is in but the problem is that soon it’s going to cause a sinkhole and cost a lot more to repair. Not to mention it’s going to create a traffic nightmare at a busy intersection and possibly cause injury to someone if they happen to be driving over that spot when it decides to collapse. So in an effort to save a couple of thousand dollars the city will probably end up spending 30 or 40 thousand, wasting lots of water and possibly causing someone to get hurt. Of course if that happens then there will be a multi-million dollar lawsuit.&lt;/p&gt; &lt;p&gt;Now that we are in a new year and are looking forward to what we will be able to do and those things that we won’t be able to do we have to plan on selling the really important things more than ever. We need to start now in building our case to management on why we can’t delay certain things. We also need to be prepared to go to them with our list of “sacrificial lambs”. Things that we had planned on doing but are not as important as the “gotta haves”. By doing this we show them a couple of things. 
One, that what we are keeping is really important and two, that we are willing to make sacrifices in order to get the really necessary things.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/29245024-3796882059869951968?l=andyitguy.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/3796882059869951968'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/3796882059869951968'/><link rel='alternate' type='text/html' href='http://andyitguy.blogspot.com/2009/01/security-economics.html' title='Security Economics'/><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>andy.itguy@yahoo.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10812177971116306280'/></author></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-537404344105784623</id><published>2009-01-07T10:35:00.004-05:00</published><updated>2009-01-07T11:13:21.350-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='NAISG'/><category scheme='http://www.blogger.com/atom/ns#' term='Andy ITGuy'/><category scheme='http://www.blogger.com/atom/ns#' term='information security'/><title type='text'>Atlanta NAISG Meeting #2</title><content type='html'>We took December off but we're back and ready to roll. Our next meeting will be Wednesday Jan 14, 2009 at 7:00. We're meeting at the MARTA headquarters building in Buckhead at 2424 Piedmont Rd, Atlanta, GA 30324. It's at the intersection of Piedmont Rd. and Morosgo Dr. across from the twin AT&amp;amp;T towers. This is the location of the Lindbergh Station. The meeting will be held in the Bid Room on the first floor. 
You will have to sign in at the security desk.&lt;br /&gt;&lt;br /&gt;&lt;iframe width="425" height="350" frameborder="0" scrolling="no" marginheight="0" marginwidth="0" src="http://www.google.com/maps?f=d&amp;amp;saddr=33.823608,-84.36823&amp;amp;daddr=&amp;amp;hl=en&amp;amp;geocode=&amp;amp;mra=dme&amp;amp;mrcr=0&amp;amp;mrsp=0&amp;amp;sz=17&amp;amp;sll=33.823439,-84.368219&amp;amp;sspn=0.004341,0.006909&amp;amp;ie=UTF8&amp;amp;ll=33.823439,-84.368219&amp;amp;spn=0.004341,0.006909&amp;amp;output=embed&amp;amp;s=AARTsJq_Hep2fWx5Td6Z-LXEcTl9JKYOPQ"&gt;&lt;/iframe&gt;&lt;br /&gt;&lt;small&gt;&lt;a href="http://www.google.com/maps?f=d&amp;amp;saddr=33.823608,-84.36823&amp;amp;daddr=&amp;amp;hl=en&amp;amp;geocode=&amp;amp;mra=dme&amp;amp;mrcr=0&amp;amp;mrsp=0&amp;amp;sz=17&amp;amp;sll=33.823439,-84.368219&amp;amp;sspn=0.004341,0.006909&amp;amp;ie=UTF8&amp;amp;ll=33.823439,-84.368219&amp;amp;spn=0.004341,0.006909&amp;amp;source=embed" style="color:#0000FF;text-align:left"&gt;View Larger Map&lt;/a&gt;&lt;/small&gt;&lt;br /&gt;&lt;br /&gt;The talk will be given by Renault Ross of Symantec (no sales just knowledge sharing). He will be speaking on End Point Security and NAC. Pizza and drinks will be provided so come hungry.&lt;br /&gt;&lt;br /&gt;We're still young and are looking to grow so make plans to join us. Feel free to invite your friends and pass the word along to others. We will be giving away a couple of door prizes as well. 
If you know that you will be attending please email me (andy.itguy at yahoo dot com) and let me know so we can get a general count for ordering pizza.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/29245024-537404344105784623?l=andyitguy.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/537404344105784623'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/537404344105784623'/><link rel='alternate' type='text/html' href='http://andyitguy.blogspot.com/2009/01/atlanta-naisg-meeting-2.html' title='Atlanta NAISG Meeting #2'/><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>andy.itguy@yahoo.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10812177971116306280'/></author></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-7940859979142158192</id><published>2009-01-05T07:58:00.005-05:00</published><updated>2009-01-05T08:40:34.507-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security FOI'/><category scheme='http://www.blogger.com/atom/ns#' term='Andy ITGuy'/><category scheme='http://www.blogger.com/atom/ns#' term='information security'/><title type='text'>More on Failure of Investment</title><content type='html'>My buddy &lt;a href="http://blog.uncommonsensesecurity.com/"&gt;Jack Daniel&lt;/a&gt; pointed us to a &lt;a href="http://securityworkshop.blogspot.com/"&gt;new blogger&lt;/a&gt; that is worth following. As I was looking through some of his posts I ran across one entitled &lt;a href="http://securityworkshop.blogspot.com/2008/12/failure-of-investment.html"&gt;"Failure of Investment"&lt;/a&gt;. 
Of course that caught my eye because of the conversations that &lt;a href="http://andyitguy.blogspot.com/2008/09/foi-in-depth.html"&gt;myself&lt;/a&gt;, Jack Daniel (&lt;a href="http://blog.uncommonsensesecurity.com/2008/09/foi-failure-of-investment.html"&gt;here&lt;/a&gt; and &lt;a href="http://blog.uncommonsensesecurity.com/2008/09/foi-follow-up.html"&gt;here&lt;/a&gt;) and a few others had on this topic back in September of last year.&lt;br /&gt;&lt;br /&gt;Tim's post got me to thinking again about FOI. I had intended to expand on the concept more last year, but as you (hopefully) noticed my blogging fell off drastically the last few months of the year due to life getting in the way. Now that a new year is here I'm hoping to get back into regular blogging, and what better topic than FOI to start with?&lt;br /&gt;&lt;br /&gt;What I want to talk about today is defining FOI at a more granular level.&lt;br /&gt;Failure is measured differently for different technologies. You can't define failure the same for a firewall as you would a host based Anti-virus program. They are different technologies and have to be measured differently. It can even be argued that within the same technology there are different tolerance levels for failure. An AV program that lets a virus through to a workstation that has very limited network access isn't as serious as one that allows an AD server to get infected.&lt;br /&gt;&lt;br /&gt;So how do you go about defining failure? It goes back to a security basic. Risk. What is the risk if failure happens with a technology at a certain level? This is why it is so important that decisions to purchase and implement technologies not be taken lightly. Don't make a decision based on the fact that it is from a certain vendor. Don't make a decision based solely on price. 
Don't make a decision based on "ease of use".&lt;br /&gt;&lt;br /&gt;You have to know what you are protecting, what the value of it to the company is and what level of failure each thing can handle. If you don't know this then you are going to set yourself up for FOI and a new job search.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/29245024-7940859979142158192?l=andyitguy.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/7940859979142158192'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/7940859979142158192'/><link rel='alternate' type='text/html' href='http://andyitguy.blogspot.com/2009/01/more-of-failure-of-investment.html' title='More on Failure of Investment'/><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>andy.itguy@yahoo.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10812177971116306280'/></author></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-680457851251622095</id><published>2009-01-02T10:28:00.002-05:00</published><updated>2009-01-02T13:22:52.494-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='goals'/><category scheme='http://www.blogger.com/atom/ns#' term='Andy ITGuy'/><title type='text'>Welcome 2009</title><content type='html'>It's a new year and most people have made resolutions, predictions, set goals or other such things to start the new year off on the right foot. I too have done the same, sort of. I gave up on resolutions years ago. Don't do predictions but do set goals. 
I also take a few minutes and look around and think about life and what I need to do or can do to make it better for myself, my family and those I come in contact with.&lt;br /&gt;&lt;br /&gt;I've set personal goals relating to my marriage, fathering, hobbies, fitness, etc. and I'm putting plans in place to make them happen.&lt;br /&gt;&lt;br /&gt;At work I've looked at my list of projects and what needs to be done and have prioritized the projects and set dates for the other things.&lt;br /&gt;&lt;br /&gt;I'm hoping that this year will be better than last year although I really can't complain about last year. Even with the economy tanking I'm still employed in a job that I usually enjoy. :) My family is doing well and I really can't ask for more and sure don't deserve more.&lt;br /&gt;&lt;br /&gt;I've got one goal that I hope to have accomplished by next Monday and that is to find a new calendar for my office at work. If I can do that then I'll consider the first few days of 2009 a success.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/29245024-680457851251622095?l=andyitguy.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/680457851251622095'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/680457851251622095'/><link rel='alternate' type='text/html' href='http://andyitguy.blogspot.com/2009/01/welcome-2009.html' title='Welcome 2009'/><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>andy.itguy@yahoo.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' 
value='10812177971116306280'/></author></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-1173083644960765456</id><published>2008-12-31T17:06:00.002-05:00</published><updated>2008-12-31T17:08:29.592-05:00</updated><title type='text'>Farewell 2008</title><content type='html'>I hope everyone has a great New Year. 2008 was an interesting year to say the least. Let's hope that 2009 keeps us on our toes and that it's one where we kick some bad guys' butts. :)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/29245024-1173083644960765456?l=andyitguy.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/1173083644960765456'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/1173083644960765456'/><link rel='alternate' type='text/html' href='http://andyitguy.blogspot.com/2008/12/farewell-2008.html' title='Farewell 2008'/><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>andy.itguy@yahoo.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10812177971116306280'/></author></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-3630727103865809811</id><published>2008-12-18T19:17:00.006-05:00</published><updated>2008-12-19T05:22:03.802-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Andy ITGuy'/><category scheme='http://www.blogger.com/atom/ns#' term='information security'/><category scheme='http://www.blogger.com/atom/ns#' term='sales practices'/><title type='text'>Managing Expectations</title><content type='html'>I've been dealing with sales people most of my career in technology. When I first got started in the field I had to deliver on the promises that they made to the customer. 
That or try to explain why what the salesman told him didn't really mean what he thought it meant. Then I moved into a position where I had to start dealing with them as the customer. I learned early on that some would do anything to make a sale. They would say anything, talk to anyone and the price could always get a little better. Then there were those who were up front with you and who seemed to really have your best interest at heart. They are the ones who aren't afraid to tell you that their product doesn't meet your requirements. They will tell you that they can maybe get special pricing and it isn't tied to you making a decision today. They are the ones who really seek to know your environment so that they can recommend a solution that will honestly work for you.&lt;br /&gt;&lt;br /&gt;Alan says that the problem that exists between sales and client is that neither really takes the time to understand the other. While I think that it will be beneficial to all parties for that to happen I don't agree that the problem lies there. I must say that most of the sales people that I've dealt with have been quality sales people who are good at what they do because they do try to understand their clients' needs. I also think that whereas I may not truly understand the life of a sales person I do understand that they are dealing with their own set of challenges. I understand that they have to sell if they want to eat and keep their job. How can I best help them? By managing expectations. When I talk with someone about their product I try to be upfront with them if there is not a fit. I also try to be upfront with them as to when I may be ready to make a decision.&lt;br /&gt;&lt;br /&gt;If I'm looking at deploying a solution whether it be vulnerability management, database monitoring, AV or anything else I will start gathering information several months in advance. Why? 
Because I've got several projects that I'm working on and I've got to ensure that the solutions work together and not against each other. Also I may actually do an eval way ahead of time just because it works for me to do it then. What I've noticed is that some sales people take that to mean I'm ready to buy, even if I tell them that the project is months down the road. I try to manage their expectations so that they aren't investing lots of time in something that isn't going to happen for a while. If they are smart they will step back, stay in touch and be patient. Some have actually gotten upset that I was looking that far out and when I reached out to them closer to time they wouldn't submit a quote.&lt;br /&gt;&lt;br /&gt;I've also learned that I need to manage their expectations once I've made my choice. This is something new to me because for the first time in my career I work for a company that has a procurement department. Always in the past when I made my decision I submitted it to Management and if they approved it then the order was placed within a few days. Here things are different. I make my decision, go to Management for approval and then it goes into the abyss called procurement. Once there all sorts of things may happen and then usually it emerges on the other side with a PO attached. That process can take anywhere from a couple of weeks to months but for me it had always been 6 to 8 weeks. Based on this I told an Account Rep that we should have no problem getting a PO cut by a certain date. That was my mistake. The date came and went and the PO was nowhere to be seen and procurement wasn't talking. The problem is that I had gotten VERY aggressive pricing on this and the Account Rep was new with the company so when the order didn't materialize within the set time frame her boss started to question her judgement in believing my reasons for wanting such aggressive pricing. 
If she had not been new then her boss probably would have just said something like "Don't be so gullible next time", but in this case it was more like "Did we really make a good choice in bringing her on?". Of course I felt terrible because all of this was based on my lack of managing expectations. I've since learned that I need to do a better job of this. Actually that is what I was trying to do with the sales person that I'm now unhappy with. Yet in this case she wants to set herself up for failure instead of allowing me to try and help her.&lt;br /&gt;&lt;br /&gt;So, yes we could all benefit from understanding each other better but more importantly we can all benefit by being upfront with each other. If I don't want to talk or don't have a need then so be it. If I tell you "Call me later" then that's what I mean. If you tell me your product can do X then it really better be able to do it without me having to jump through hoops. If it can't do it then just say so. &lt;br /&gt;&lt;br /&gt;How about this. I know that my blog is read by techies, managers, sales, PR, and others. If we want things to work better then take my advice: be honest, manage expectations and work together. Quit putting sales people off just because you don't want to deal with them. Tell them "not now, call me in X weeks" or "please don't call me, I'll call you when I'm ready". Then when we do tell sales something they will believe us and not feel like we're giving them the runaround. For those of you in sales, if we say call next month then call next month. Don't be pushy, don't try to tell us that you can "help" us speed up procurement. If we tell you that there is no way to get this done by the end of the month quit pressuring us with the latest deal of the moment.&lt;br /&gt;&lt;br /&gt;One last thing. 
&lt;a href="http://twitter.com/anton_chuvakin"&gt;@anton_chuvakin&lt;/a&gt; made a comment on twitter yesterday that went something like this "&lt;span class="entry-content"&gt;XYZ "software suite is the most powerful and comprehensive system... in existence."  Some people who do marketing are stupid :-)" I replied back "I had 27 sales people tell me that about their product last week" then Dr. A replied back with "&lt;/span&gt;&lt;span class="entry-content"&gt;well, all 27 were repeating what 1 marketing person told them :-)" I figure that one marketing person was &lt;a href="http://www.securityincite.com"&gt;Rothman&lt;/a&gt;. :)&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/29245024-3630727103865809811?l=andyitguy.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/3630727103865809811'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/3630727103865809811'/><link rel='alternate' type='text/html' href='http://andyitguy.blogspot.com/2008/12/manageing-expectations.html' title='Manageing Expectations'/><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>andy.itguy@yahoo.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10812177971116306280'/></author></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-6360284413247340312</id><published>2008-12-17T18:11:00.003-05:00</published><updated>2008-12-17T20:27:01.872-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Bad Selling Techniques'/><category scheme='http://www.blogger.com/atom/ns#' term='still secure after all these years'/><category scheme='http://www.blogger.com/atom/ns#' term='Andy ITGuy'/><category scheme='http://www.blogger.com/atom/ns#' 
term='information security'/><title type='text'>Let the throw down begin!</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_zEnmz7JVFo4/SUmHcjmha2I/AAAAAAAAAG8/V85qBR9iZMs/s1600-h/boxing.jpg"&gt;&lt;img style="cursor: pointer; width: 124px; height: 96px;" src="http://3.bp.blogspot.com/_zEnmz7JVFo4/SUmHcjmha2I/AAAAAAAAAG8/V85qBR9iZMs/s320/boxing.jpg" alt="" id="BLOGGER_PHOTO_ID_5280900962731518818" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.stillsecureafteralltheseyears.com/ashimmy/2008/12/when-the-salesperson-goes-over-your-head-what-hurts-besides-your-ego.html"&gt;Today Alan Shimel took me out to the wood shed and spanked me!&lt;/a&gt; So all in the spirit of good fun we're gonna go toe to toe and work this out.&lt;br /&gt;&lt;br /&gt;My job here is to manage the security program. Part of my responsibilities is to evaluate products and make recommendations based upon the defined requirements and the ability of a product to meet those requirements. My CIO's job is to manage the entire IT organization and make sure that what we do matches up with the business requirements of the company. He does not evaluate and recommend products. If a sales person goes to him he sends them to the appropriate department to talk to the SME. &lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;Alan asks&lt;/span&gt; "But also who dropped dead and made Andy the single point of contact?"&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;Andy answers&lt;/span&gt; "My CIO made me that point of contact (although he is still living). 
At least until we are ready to move forward and his input is required. That does make me a gate keeper of sorts but only because that's how we do things here."&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;Alan asks&lt;/span&gt; "Is Andy not only making the technical decisions but the business and financial ones as well?"&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;Andy answers&lt;/span&gt; "No, I'm not making the business and financial decisions but I do have significant input into the role of security in the business. That is what Security Managers do. They are given information regarding business needs, goals and requirements and they make decisions and recommendations based upon them."&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;Alan asks&lt;/span&gt; "Is Andy the person signing the checks?"&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;Andy answers&lt;/span&gt; "Again, No. I do work within a budget and also part of my job is to ensure that we are spending our budget dollars wisely. So, that's kinda like saying what checks get signed."&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;Alan says &lt;span style="color: rgb(0, 0, 0);"&gt;"&lt;/span&gt;&lt;/span&gt;Here is what I have preached to sales people for years.  It is imperative that they multi-thread into an account. Knowing the Andy's of the world is not enough to get the deal done. A good sales person should have relationships with people up and down the organization, including the ability to pick up the phone and speak to the CIO (especially if it is not some Fortune 100 type company).  Does Andy really relish his role as the gatekeeper?  
Is it an ego thing?"&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;Andy replies &lt;span style="color: rgb(0, 0, 0);"&gt;"&lt;/span&gt;&lt;/span&gt;I understand Alan's point about having multiple levels of contact within a company because there are lots of people out there who will give you the run around instead of being honest and telling you the truth. Especially people in technology because many of them are just not good with people. I think that if you are getting the run around then going up the ladder is a fine plan, but if you have been given multiple valid reasons why this is not the time to move forward and you still try to push forward then you have issues. If I was in sales and really needed to make a sale I surely wouldn't waste my time trying to sell to a company that has (I'll say it once again) already given multiple valid reasons why this is not the time to move forward. I'd focus on a sale that I had a chance to make. Not to mention that having relationships also means that you maintain them at ALL levels. Do you really think that you are gaining anything by pushing when you have been told to wait? Is it beneficial to damage a relationship to make one sale? The security community is a small and often tight group of people. I'm amazed that almost everywhere I go I run into someone that knows someone else that I know. You may make a sale here while damaging a relationship but what about the next time we cross paths? The chances are VERY good that it will happen.&lt;br /&gt;&lt;br /&gt;Here's a little story that recently happened to me. I was at a conference and was introduced to someone by a friend. That person happened to work for a company in Atlanta and we exchanged cards. After the conference I was contacted by that person to talk about their product. I met her for lunch along with 2 others from the company. All 3 of them had worked together along with the friend who introduced us. 
We're sitting in a restaurant and one of them says "Does any one know where so and so works now?" I said "Yeah, she's my vendor x rep". She had also worked with them. Then a few days later I get an email from another vendor rep who said "You remember the rep that I wanted to introduce you to from Vendor Y? Well, he told me that his wife had lunch with you the other day." She was the one from the first company. It's a small, small security world.&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;Alan says&lt;/span&gt;: "This salesperson was doing her job.  She was not getting anywhere with Andy to her satisfaction and was multi-threading into the account.  She could have been more up front with Andy about it, but my feeling is that anytime a security admin or manager "forbids" you from talking to other people in the organization they are overstepping their bounds and sending a message that this is not yet at the level of a real opportunity."&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;Andy replies: &lt;span style="color: rgb(0, 0, 0);"&gt;"Alan may have been reading another blog here because I can't find anywhere in there where I "forbid" her from anything. Maybe he's just drawing a conclusion. Kinda like the sales person concluded that I was only putting her off because I didn't want to bother with her or be honest with her.&lt;/span&gt;&lt;/span&gt; I also question his definition of what her job is. Her job is to sell product. That means that she finds potential clients (me), finds out what my needs are, determines what her product can do to meet those needs and convinces me that her solution is the best one for my needs. Her job is not to try and make a sale to someone whose job is not to manage security for the company. You don't go to the CMO to sell accounting software. If this were a small company where the CIO has more input in these decisions it would be different."&lt;br /&gt;&lt;br /&gt;Come with me on a little journey. 
What if she had convinced him to buy her product? Well, that would only happen in one of a couple of ways. First, he makes the decision on his own, not knowing what the business requirements for this product are. He has no business being CIO. Second, he comes to me and tells me that he wants it and asks for my input. I tell him we don't need it at the moment, there are more pressing projects and I haven't decided on a vendor. He still buys it. He has no business being CIO. So we now have a product that we don't currently need, may not meet all of our requirements, may not be the best fit or the best value for us, and I have another piece to force into my security program.&lt;br /&gt;Who wins?&lt;br /&gt;Not me. I've now got another product forced on me and I am learning that my input and opinion are not really valuable to the company, so why not move on.&lt;br /&gt;Not my CIO. He has lost my respect and possibly my services. Now he has to find someone else to come in and learn the environment, business and everything else.&lt;br /&gt;Not my company. They just spent a lot of money that wasn't necessary and may not meet their needs.&lt;br /&gt;Not the sales person. She has damaged relationships with a potential customer down the road.&lt;br /&gt;Not the vendor. They have now sold a product that, if it doesn't do as expected or doesn't meet the business requirements, will only leave the customer with a bad taste in their mouth.&lt;br /&gt;All of this could have been avoided if the sales person had simply chosen to wait until next year when a "real" decision could be made.&lt;br /&gt;&lt;br /&gt;One last thing and then I'll stop.&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;Alan said:&lt;/span&gt;  "I really think it is more about Andy's ego than any real threat."&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;Andy replies:&lt;/span&gt; I can assure you that my ego was the least of the things that were hurt. At least from a "who does he think he is?" 
perspective. I must admit that it was a little bruised because by going "over my head" she basically said "I know that Andy has already spent lots of time and effort telling me all of the reasons why this wouldn't happen this year but I think he is lying to me so I'm going to go to the CIO and try to sell him my product." Maybe I'm overreacting a little here but I did tell her why I wanted her to wait and she still thought I was giving her the runaround.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/6360284413247340312'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/6360284413247340312'/><link rel='alternate' type='text/html' href='http://andyitguy.blogspot.com/2008/12/let-throw-down-begin.html' title='Let the throw down begin!'/><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>andy.itguy@yahoo.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10812177971116306280'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_zEnmz7JVFo4/SUmHcjmha2I/AAAAAAAAAG8/V85qBR9iZMs/s72-c/boxing.jpg' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-1947484423550991550</id><published>2008-12-16T19:27:00.003-05:00</published><updated>2008-12-16T20:14:09.167-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Bad Selling Techniques'/><category scheme='http://www.blogger.com/atom/ns#' term='Andy ITGuy'/><category scheme='http://www.blogger.com/atom/ns#' term='information security'/><title type='text'>How to NOT sell me security products (Part 2)</title><content 
type='html'>This is a continuation of my earlier post. I'm adding to it for a couple of reasons.  I wanted to tell more of the story than time permitted on the bus this morning, and I received a pretty good comment from a former sales person looking at this from the perspective of a sales person. I'm going to post Sam's comment and then reply to it while adding more details.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Having been in that (sales) role many times, I have to say that your statement cries out "pigeonhole". In other words, a statement people would tell a salesperson in order to get them off their back, but without intention of follow up. I can't tell you how many times I've heard someone tell me something similar and never, ever follow through with their word (i.e. will talk to you after the first of the year - yeah, right). I'm just scratching the surface on this comment, though.&lt;br /&gt;&lt;br /&gt;On top of this, it sounds to me like you're making a business decision based on a personal experience with a salesperson. That doesn't sound like the right thing to do, either. What if the company offered a great solution? You're going to pass it up because a salesperson ticked you off???&lt;br /&gt;&lt;br /&gt;I'm not saying you are, but my experience has been that many customers lie just as much as their sales folks do. Two sides to each coin.&lt;/blockquote&gt;&lt;br /&gt;Sam, you make some good points and I realize that you are talking in generalities and not specifics, but I still get to reply because it's my blog. :) While I will admit that in the past I have put sales people off by telling them "we'll talk later", I also usually tell them "You call me". That way it's clear that the ball is in their court. I may not be interested now but in a few weeks or months I may be. I always try to be honest with them and let them know if what they are selling fits any of my needs. If it doesn't then I tell them "Not now, maybe later". 
If I really want their product and I don't hear from them within the set time period, I'll reach out to them or someone else that can get me the same product.&lt;br /&gt;&lt;br /&gt;This case was a little different. She had been pushing me to try and get this ordered before the end of the year. I had told her numerous times that I did not need her product at this time. It would be nice to have and would provide added security. It would also be easier to manage than the 2 or 3 free products that I'm currently using to do the same thing. I had also told her that even if I did want and need it right now there was no way that I could get it through procurement in time to get end of year pricing. I explained to her that our procurement process is painfully slow and that no matter how important it was or what level of management wanted it, things would not speed up to the point of having it approved by end of year.  I explained that since it was not a need I would not be able to get management sponsorship to "rush" it through. I explained that by waiting until next year I was not putting myself in a bad position. I also explained that the company would rather pay more and NOT rush than rush and make a wrong decision. I also explained that I was still evaluating other vendor offerings to meet these needs and that I had NOT made a decision as to which one I would choose. Yet she still made the decision to go to the CIO and try to tell him how much he needed this product. He didn't even know that I was evaluating products because it's not high enough on my list to let him know yet.&lt;br /&gt;&lt;br /&gt;As for the "making a business decision based on a personal experience with a salesperson" comment, you are right. I'm making the conscious decision to not do business with her based on several factors. First, I had made it clear that we were not ready to purchase a product. Second, I had given her a time to get back to me to further discuss this. 
Third, I had told her that talking to the CIO would produce no results because he does not evaluate and recommend products. Fourth, she is extremely pushy. Fifth, she lied to the CIO and told him that I wanted the product and that we had a conference call lined up for the following day.  Sixth, she pissed me off. Seventh, there are several other vendors that do the same thing just as well as her product. Now I can get past number 6 because I've been pissed off by sales people before and still bought from them. Not to mention I've pissed off my fair share of people in the past. I have a very hard time getting past numbers 1-4 because I had been clear in making my needs, wishes, desires, etc. known. I can't get past number 5 because the combination of 1-4 plus 5 shows that she has very little personal integrity. If she is willing to lie and go behind my back to make a sale, how can I be expected to trust her in what she is telling me regarding the product, service, etc.? (Let's not go into the "everyone lies" bit because even though any lie is not good there are limits).&lt;br /&gt;&lt;br /&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/1947484423550991550'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/1947484423550991550'/><link rel='alternate' type='text/html' href='http://andyitguy.blogspot.com/2008/12/how-to-not-sell-me-security-products_16.html' title='How to NOT sell me security products (Part 2)'/><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>andy.itguy@yahoo.com</email><gd:extendedProperty 
xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10812177971116306280'/></author></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-6395066970059892548</id><published>2008-12-16T07:48:00.002-05:00</published><updated>2008-12-16T07:51:18.239-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Bad Selling Techniques'/><category scheme='http://www.blogger.com/atom/ns#' term='Andy ITGuy'/><category scheme='http://www.blogger.com/atom/ns#' term='information security'/><title type='text'>How to NOT sell me security products</title><content type='html'>This will be short and to the point. If you WANT to sell me your product do NOT do the following.&lt;br /&gt;&lt;br /&gt;Call my CIO and try to convince him that he needs your product AFTER I have told you to wait until after the first of the year to talk more with ME about this!&lt;br /&gt;&lt;br /&gt;I don't know if this sales person reads my blog or not but if you do you have absolutely no chance of selling me your product now. Not here. 
Not at any other company that I may work for in the future.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/6395066970059892548'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/6395066970059892548'/><link rel='alternate' type='text/html' href='http://andyitguy.blogspot.com/2008/12/how-to-not-sell-me-security-products.html' title='How to NOT sell me security products'/><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>andy.itguy@yahoo.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10812177971116306280'/></author></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-3548187507417921040</id><published>2008-12-15T16:51:00.004-05:00</published><updated>2008-12-15T17:18:39.578-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='3rd Parties'/><category scheme='http://www.blogger.com/atom/ns#' term='Andy ITGuy'/><category scheme='http://www.blogger.com/atom/ns#' term='information security'/><title type='text'>3rd Party Security</title><content type='html'>&lt;a href="http://www.realtime-itcompliance.com/noncompliance_sanctions_exampl/2008/12/example_of_why_business_leader.htm"&gt;Rebecca Herold has a post up regarding the importance of ensuring 3rd party security.&lt;/a&gt; This is one example of how sloppy (and sometimes even fairly good) security from a partner, client or vendor can cause you all sorts of headaches. There are lots of other reasons also to do security audits of those you give network access to. 
I know that lots of companies talk about doing this but I wonder how many really do. I run across lots of people who work for companies that have policies in place that state that they must do security audits before giving you access to the network. Yet many of these same people tell me that they actually DON'T do these required audits. I also run across vendors and others who tell me that they have been given access to company networks with no audit requirement at all. Occasionally they have to sign a "3rd Party Access Agreement" or some other such document.&lt;br /&gt;&lt;br /&gt;What concerns me is that these companies are putting themselves in a bad place. They think that they are covered because policy is in place or because they ask you to sign an NDA. Neither of these will hold water if you have a problem that is caused by the 3rd party and you can't prove that you did your due diligence. If you have a requirement to do a 3rd party security audit then you had better do it. If you say that you require your 3rd parties to do X then you need to prove that you have verified that X is being done. We can't continue to throw out a requirement without doing our part to make sure that the requirement is being enforced.&lt;br /&gt;&lt;br /&gt;There are lots of things that can go wrong when giving anyone access to your network; even your own users. It can be difficult enough to keep your users audited and ensure that their protections are in place and that you are doing all you can to protect your data and network from them. Then if you throw in the complication of a bunch of machines that you don't control or set requirements for it makes it even worse. 
That is why you really need to make sure that you are extra diligent in protecting your data from them.&lt;br /&gt;&lt;br /&gt;The list of things that can go wrong is as long as my arm. They can bring in a system that has been infected with a virus that may be spread to your systems. Hopefully your AV is installed and up to date on all of your systems, but that isn't always the case. In some instances companies don't install AV on certain systems because of performance and compatibility issues. These systems could become infected and, depending on the virus, they may attempt to spread it to other systems constantly, or they may become part of a bot-net that can do all sorts of nefarious things. It may be loaded with a rootkit or backdoor that gives a bad guy control of that system and then he can work his way through your network. There is also the possibility that a bad guy enters their network and uses one of their systems to gain access to your network. They could take data out of your network and lose it, give it away, sell it, use it for their own purposes. They could alter data, plant keyloggers, sniffers, APs etc... The list goes on and on.&lt;br /&gt;&lt;br /&gt;So therefore I repeat my premise that when dealing with 3rd parties we don't just need to be as strict as we are with our users, we need to be even more strict. We have to do more than use CYA with a policy or NDA. We have to verify that they are doing what we require and what they say they are doing. 
If not then you may find yourself on the receiving end of a legal or regulatory nightmare.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/3548187507417921040'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/3548187507417921040'/><link rel='alternate' type='text/html' href='http://andyitguy.blogspot.com/2008/12/3rd-party-security.html' title='3rd Party Security'/><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>andy.itguy@yahoo.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10812177971116306280'/></author></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-1639737300785771692</id><published>2008-12-11T16:35:00.001-05:00</published><updated>2008-12-11T16:35:32.326-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='data security'/><category scheme='http://www.blogger.com/atom/ns#' term='Andy ITGuy'/><category scheme='http://www.blogger.com/atom/ns#' term='information security'/><title type='text'>Is that MY data?</title><content type='html'>&lt;p&gt;Disclosure: I attended a half day seminar on e-discovery where this story was told by Randy Kahn of &lt;a target="_blank" href="http://www.kahnconsultinginc.com"&gt;Kahn Consulting&lt;/a&gt;. It got me to thinking and some of this is reflective of some of his talk.&lt;/p&gt;  &lt;p&gt;In early Sept 2008 United Airlines stock fell by as much as 75% because of a six-year-old article that found its way onto Google. 
The article had no date attached to it and was accidentally re-posted to a newspaper's web site. Over the weekend the article started turning up in searches about United Airlines. As investors and automatic investment software saw the article they started to panic and sell shares of United stock and caused the price to fall drastically. Luckily people actually started researching the information and discovered that it was old news and not relevant to present time. Fortunately the stock did rebound and regained most of the loss.&lt;/p&gt;  &lt;p&gt;How did this happen? I can't say for sure but it sounds like someone wasn't managing their data very well. How does well managed data get mishandled like that? Obviously there is a legitimate business case for keeping old stories like this around. They are useful for research and such, but the data could have been tagged in such a way as to keep something like this from happening. It could have had restrictions placed on the way it could be used. The problem with this is that it requires technologies to make this stuff happen that unfortunately are not used by many companies. This makes data management and security a nightmare for many. &lt;/p&gt;  &lt;p&gt;Unfortunately I don't have a low cost, easy to implement answer to this problem but it is something that needs to be addressed in your company. We all know that we can't secure what we don't know about. We can't secure the data if we don't know where it is, who is accessing it and what they are doing with it. Data has been taken too lightly for too long. It's been treated like it doesn't matter and that it's impervious to loss, misuse or any other bad thing. Sure we play the game and put in firewalls to keep bad guys out and put in a few other things inside the network and on host systems to make us all feel a little better but we aren't managing the data itself. 
We aren't teaching the DBAs, Server Admins, End Users and anyone else that it is important that it not be tossed around like a rag doll. We're not building the case to Upper Management that having policy with teeth is critical to keeping us safe. &lt;/p&gt;  &lt;p&gt;We write policies and set them in their little corner to be pulled out when the auditor asks for them or when someone does something bad, but other than that we pretty much ignore them. We don't train our users on what they say and why they say it, we don't teach them how to follow them. We don't work with the business units to ensure that the policies are even effective and enforceable. We don't meet with legal, compliance and other groups to see how the policy fits into law and regulations. We don't look at how a change to one policy affects other policies and makes them more or less effective and enforceable. &lt;/p&gt;  &lt;p&gt;I know that I'm making a sweeping statement with much of this and that this isn't the case for all companies. The problem is that it occurs in way too many places because companies and people are just playing the game. They aren't taking their compliance and security programs seriously. They want to check their box and move on. They aren't thinking outside the box and looking at things from a holistic perspective. In today's world where data is king we can't play games. We can't do &amp;quot;just enough&amp;quot;. We can't keep thinking that security is a nuisance that we have to live with. Management has to take the lead and hire and equip the right people with the right tools and training. 
They have to take security seriously and they have to realize that there have to be consequences for what happens to data; the consequences have to fall on the right people and they have to have some pain associated with them or nothing will really change.&lt;/p&gt;  </content><link rel='replies' type='application/atom+xml' href='http://andyitguy.blogspot.com/feeds/1639737300785771692/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=29245024&amp;postID=1639737300785771692' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/1639737300785771692'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/1639737300785771692'/><link rel='alternate' type='text/html' href='http://andyitguy.blogspot.com/2008/12/is-that-my-data.html' title='Is that MY data?'/><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>andy.itguy@yahoo.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10812177971116306280'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-3670298528482881467</id><published>2008-11-26T17:36:00.003-05:00</published><updated>2008-11-26T18:29:27.140-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='physical security'/><category scheme='http://www.blogger.com/atom/ns#' term='Andy ITGuy'/><category scheme='http://www.blogger.com/atom/ns#' term='information security'/><title type='text'>Infophysical Security</title><content type='html'>Information security teams work hard 
to secure the data that they are responsible for. They put in perimeter protections, network protections, host protections and all sorts of devices to monitor and manage all of these devices and protections. Configurations are checked before they go into production and all changes are tested and approved. All of this hard work pays off when you look at firewall logs, IDS/IPS logs, and the reports that your SIEMs generate to show just how many attacks are blocked, dropped and stopped before they get to the goal of stealing or damaging your data.&lt;br /&gt;&lt;br /&gt;Of course we all know that this can easily be bypassed by one unpatched system, zero day exploit, reckless admin or user, or a really good hacker or social engineer. There is always something that isn't exactly as it should be and that one thing leaves you vulnerable. There is one other area that information security needs to have regular contact with and influence on: Physical Security. Physical security is the team tasked with keeping the bad guys physically away from the data. Unfortunately, many times these two disciplines don't communicate with each other and this lack of communication can ruin the well laid plans and protections that have been put into place.&lt;br /&gt;&lt;br /&gt;CISOs and their management teams need to be proactive and take the lead in reaching out to the physical security teams at their company. They need to collaborate with each other and they need to work together to ensure that the data is protected. Often physical security teams don't realize the dangers that a person can present when they allow them to roam the halls unescorted or when they don't do their job and ensure that a person is really supposed to be there.  They don't understand that a good hacker may not be able to gain physical access to the data center due to other access controls in place, but if he gets hold of a hot network jack or an unattended system he doesn't need to. 
They aren't aware of the fact that a seemingly innocent flower, stuffed animal or other item can hide wireless APs, mini laptops, wireless cameras, etc...&lt;br /&gt;&lt;br /&gt;This is another reason that when you are rolling out a security awareness program you need to ensure that it's not a generic one size fits all program. Different departments need to be taught different things so that they are aware of the things that are most likely to affect them. An effective security program will reach out to all lines of business and work with them to be proactive in securing the data.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/3670298528482881467'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/3670298528482881467'/><link rel='alternate' type='text/html' href='http://andyitguy.blogspot.com/2008/11/infophysical-security.html' title='Infophysical Security'/><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>andy.itguy@yahoo.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10812177971116306280'/></author></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-1202564684658647178</id><published>2008-11-25T20:25:00.002-05:00</published><updated>2008-11-25T20:47:09.269-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='security software'/><category scheme='http://www.blogger.com/atom/ns#' term='Andy ITGuy'/><category scheme='http://www.blogger.com/atom/ns#' term='information security'/><title type='text'>Someone Please Help Me Understand</title><content type='html'>A friend came to me with a dilemma. 
A company is replacing all PCs within the organization. They are looking at buying laptops, desktops and VDI terminals. They are also using this as an opportunity to ensure that they have all the security software that they need on the systems to provide the most protection. They are looking at things such as AV, DLP, Encryption, HIPS, etc... One of the guys on the team decided that they needed phone home software to help in recovery of lost or stolen devices. Actually he says that it's pretty handy software. It has the ability to do much more than just phone home. It takes inventory of all software on the machine, alerts you when new software is installed, gives you asset management capabilities, can reinstall itself if the software gets removed, and lots more. They are considering installing this on all systems because a few desktops have gone missing. When asked how many and over how long a period of time no one was able to give an answer. Yet they are willing to invest thousands of dollars in this software that will really not give them anything that they don't already have except the phone home capability. So why the big rush to buy something that isn't needed?&lt;br /&gt;&lt;br /&gt;There are several questions that need to be asked and answered before a purchase such as this can be justified in my mind.&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Just how many systems actually go missing every year?&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Are they really missing or are they just not being tracked properly as they are moved, replaced, etc.?&lt;br /&gt;&lt;/li&gt;&lt;li&gt;How many systems can they afford to lose per year before they actually see any real value in this program?&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Can they replace any other applications with this software? 
Asset tracking, System Monitoring, etc.&lt;/li&gt;&lt;li&gt;How much of an investment in infrastructure and personnel resources will be required to manage this program?&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;According to my friend none of these things have been thought about enough to give an answer, yet still the push is on to include this application when the systems are replaced. So I thought I'd ask you to give me answers that I can pass on to my friend. I figure that's about as useful as what he is currently getting. :)</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/1202564684658647178'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/1202564684658647178'/><link rel='alternate' type='text/html' href='http://andyitguy.blogspot.com/2008/11/someone-please-help-me-understand.html' title='Someone Please Help Me Understand'/><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>andy.itguy@yahoo.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10812177971116306280'/></author></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-2318956885695332113</id><published>2008-11-25T16:25:00.003-05:00</published><updated>2008-11-25T16:44:38.218-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Andy ITGuy'/><category scheme='http://www.blogger.com/atom/ns#' term='information security'/><title type='text'>The Sky is falling....... no wait it's not the sky.</title><content type='html'>Remember my "&lt;a href="http://andyitguy.blogspot.com/2008/11/pay-close-attention.html"&gt;Pay Close Attention&lt;/a&gt;" post a few days ago? 
I hope you did because obviously I didn't. At least I didn't heed my own advice. Not long ago I had a Pen Test done against my network. I got the report back, looked it over and wrote up a Management report and sent it off to Management (imagine that).  I had a few action items that I needed to address and put them on a to do list and went on with life. Granted life has been VERY busy and since none of the action items were critical they kept getting pushed aside. Well today I made a point to take action on them and fired off a few emails to the proper people to get the issues resolved. That's where the problem (little as it may be) started.&lt;br /&gt;&lt;br /&gt;I won't go into specifics but here is the scoop. An issue was identified and the host system was fingerprinted. If you have ever done a Pen Test or scanned systems to determine the OS you know that it isn't 100% accurate and that is what happened here. The scan came back with its "best guess" and since it was known that we do have that particular OS and device in use on our network the assumption was made that this was most likely what the device was.  This is where I quit paying attention. The emails that I sent were based on the assumption and not the "facts" regarding the type of device. As I started to get feedback from the vendor and one of our engineers I had to do a little more research to get them the answers that they were requesting. That is when I actually paid attention to the IP address that was associated with the device and I realized that it could not be the "assumed" device. Are y'all still following this? It's confusing me.&lt;br /&gt;&lt;br /&gt;So since I didn't pay attention at the beginning I had to start backpedaling and trying to explain how I could make such an obvious mistake. Of course Management had also been copied on emails so there was no keeping this just between those on the Network Engineering team. So what can I learn from this? PAY ATTENTION! 
Things aren't always as they seem. :)</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/2318956885695332113'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/2318956885695332113'/><link rel='alternate' type='text/html' href='http://andyitguy.blogspot.com/2008/11/sky-is-falling-no-wait-its-not-sky.html' title='The Sky is falling....... no wait it&apos;s not the sky.'/><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>andy.itguy@yahoo.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10812177971116306280'/></author></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-2314286474069931828</id><published>2008-11-14T13:17:00.004-05:00</published><updated>2008-11-14T13:55:55.979-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Andy ITGuy'/><category scheme='http://www.blogger.com/atom/ns#' term='information security'/><title type='text'>Randomness</title><content type='html'>I feel like I'm never going to get back into the swing of blogging again. I keep trying to do daily posts but it doesn't work. I've got a few thoughts running through my head that I wanted to throw out. Most of it is security related but not all.&lt;br /&gt;&lt;br /&gt;First, Wednesday night we had our kickoff meeting of the &lt;a href="http://atlanta.naisg.org/"&gt;Atlanta NAISG chapter&lt;/a&gt;. It was a success. There were about 8 of us, but that's not bad for a first meeting. Especially considering that we didn't do much advertising. Mostly word of mouth. 
Everyone there seemed to have a good time and seems genuinely interested in making this work. Brad Dinerman, NAISG founder, flew down from Boston to help us kick things off and give our first talk.&lt;br /&gt;&lt;br /&gt;I was listening to a Manager Tools podcast the other day and they were talking about the importance of attitude. Attitude makes a big difference in most everything. If you have a good attitude then things usually go better. People enjoy being around you more and usually give you more respect and listen to what you have to say. It makes for a better day for you and makes for better results out of what you are trying to accomplish. It also makes other people feel good when you have an upbeat attitude. That reminded me of someone that I met last week at ISD. As I was listening to the Security Researchers Roundtable I noticed that Billy Hoffman of HP was really energetic and passionate as he spoke. It made me listen a little closer to what he had to say because of the energy that he had. After the talk I went up to meet him and there was someone else with him (no names). As I introduced myself to them and told them how much I enjoyed the talk the other person was really standoffish and just said a lame "thanks". Billy on the other hand was very appreciative of the fact that I took the time to let them know. He talked to me a few minutes about Atlanta (he went to GA Tech) and my job. As we parted he commented on how he enjoyed meeting me. None of this was a big deal but the attitude he put out really made a difference. 
That is something that many of us in the IT world need to work on. We need to get past our often introverted personality and project goodness to our users and this will go a long way in changing the negative mindset that many have towards their IT department.&lt;br /&gt;&lt;br /&gt;I was listening to The &lt;a href="http://www.mckeay.net/2008/11/11/network-security-podcast-episode-127-dhs-secretary-michael-chertoff/"&gt;Network Security Podcast&lt;/a&gt; on the way into town this morning and it was a recording of a bloggers' meeting that DHS Secretary Michael Chertoff held in San Francisco earlier this week. Martin asked several questions about the TSA and airport security and Mr. Chertoff made a good point about the public not always seeing what is going on behind the scenes and therefore not understanding the why and wherefore of decisions that are made regarding airport security. While I don't think that we are doing the best job at airport security and I do often question the value in some of what they do (and why they aren't doing some other things) his comment did make me stop and think that I don't see the big picture in airport security. I don't have insight into all the data that goes into making the decisions that are made. They may look like stupid or inappropriate decisions to me. They may look like they do nothing more than make the public think that the TSA is doing something. But there is more to it than I see. 
In my job as Information Security Officer for my company I often look at decisions that are made above me and wonder why. Later on as I get more info or see things unfolding I realize that the decision made more sense than I gave it credit for. It's a good idea to withhold judgment until you know all of (or at least most of) the facts.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/2314286474069931828'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/2314286474069931828'/><link rel='alternate' type='text/html' href='http://andyitguy.blogspot.com/2008/11/randomness.html' title='Randomness'/><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>andy.itguy@yahoo.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10812177971116306280'/></author></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-9141102105062602649</id><published>2008-11-11T10:45:00.003-05:00</published><updated>2008-11-11T10:59:21.757-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Andy ITGuy'/><category scheme='http://www.blogger.com/atom/ns#' term='information security'/><title type='text'>Pay Close Attention</title><content type='html'>Paying close attention to life can save us all a lot of headaches and unnecessary grief. This applies to our lives as information security professionals as well. We need to make sure that we pay close attention to what we are doing. Whether it's monitoring logs, configuring devices, reviewing configs or RFPs, writing policy or procedures, etc... 
If we aren't careful and diligent in what we do we will make a small (hopefully it's small) mistake that may come back to bite us.&lt;br /&gt;&lt;br /&gt;We also need to be careful of the message that we give to our customers and users. We need to ensure that we are clear in how we present the message and that it is in line with the business requirements. We need to make sure that we are looking for answers to solve a problem and not just saying "NO". How we communicate our security plans has to be in a way that the user will understand and that will make them want to work with us.&lt;br /&gt;&lt;br /&gt;What made me think of this? This picture tells a story that is very different from the one that was meant to be conveyed. If Mom and Dad had paid attention to what little Suzie was drawing for her class project it just could have saved them lots and lots of embarrassment.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_zEnmz7JVFo4/SRmqKf9DcJI/AAAAAAAAAGk/WGws0g-k-yc/s1600-h/HD+Mom.bmp"&gt;&lt;img style="cursor: pointer; width: 320px; height: 232px;" src="http://4.bp.blogspot.com/_zEnmz7JVFo4/SRmqKf9DcJI/AAAAAAAAAGk/WGws0g-k-yc/s320/HD+Mom.bmp" alt="" id="BLOGGER_PHOTO_ID_5267428336539496594" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;What little Suzie was trying to convey was that her Mom worked for a hardware store and was selling a shovel to a customer.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/9141102105062602649'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/9141102105062602649'/><link rel='alternate' type='text/html' 
href='http://andyitguy.blogspot.com/2008/11/pay-close-attention.html' title='Pay Close Attention'/><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>andy.itguy@yahoo.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10812177971116306280'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_zEnmz7JVFo4/SRmqKf9DcJI/AAAAAAAAAGk/WGws0g-k-yc/s72-c/HD+Mom.bmp' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-3203906681854296440</id><published>2008-11-11T06:29:00.003-05:00</published><updated>2008-11-11T06:35:11.829-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='NAISG'/><category scheme='http://www.blogger.com/atom/ns#' term='Andy ITGuy'/><category scheme='http://www.blogger.com/atom/ns#' term='information security'/><title type='text'>Atlanta NAISG is Wednesday Night</title><content type='html'>Just a reminder to everyone in the Atlanta area that Wednesday November 12, 2008 is the date of the inaugural meeting of the NAISG chapter. We are meeting at 7:00 PM in Alpharetta, GA at 3030 Royal Blvd. South, Suite 220, Alpharetta, GA 30022. This is the office of &lt;a href="http://www.upgradeitcs.com/"&gt;Upgrade IT Consulting Services&lt;/a&gt; who has graciously allowed us to use their facility for our kick-off meeting. Pizza and drinks will be provided. The program will be given by the Founder and President of NAISG, Brad Dinerman. 
He will be speaking on "Employee Monitoring and Surveillance". You can read more about the meeting at the &lt;a href="http://atlanta.naisg.org/Default.asp"&gt;Atlanta chapter page of the NAISG web site&lt;/a&gt;.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/3203906681854296440'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/3203906681854296440'/><link rel='alternate' type='text/html' href='http://andyitguy.blogspot.com/2008/11/atlanta-naisg-is-wednesday-night.html' title='Atlanta NAISG is Wednesday Night'/><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>andy.itguy@yahoo.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10812177971116306280'/></author></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-1607091327489238780</id><published>2008-11-11T05:58:00.004-05:00</published><updated>2008-11-11T06:09:33.839-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Andy ITGuy'/><category scheme='http://www.blogger.com/atom/ns#' term='Veterans Day'/><title type='text'>Happy Veterans Day!</title><content type='html'>Today is Veterans Day in the US. A day when we honor all of those who have served in the Armed Forces. 
A day to stop and remember all the sacrifices made and to remember that our Veterans are the ones that have given their all to protect our freedoms.&lt;br /&gt;&lt;br /&gt;I want to personally say a big &lt;span style="font-weight: bold; color: rgb(255, 0, 0);font-size:180%;" &gt;THANK YOU&lt;/span&gt; to all of you who have served.&lt;br /&gt;&lt;br /&gt;Last week when I was at Midway Airport in Chicago waiting for my flight home from ISD I spent several minutes viewing the display that they have set up to honor all those who fought in the Battle of Midway in World War II. I have to admit that it tugs at my heart strings to think about all that has been sacrificed by those who have fought for our freedoms and rights.&lt;br /&gt;&lt;br /&gt;So today (actually doing this every day is a good idea) if/when you see a member of our military or a veteran make sure to tell them Thanks and if you get a chance buy them a cup of coffee.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/1607091327489238780'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/1607091327489238780'/><link rel='alternate' type='text/html' href='http://andyitguy.blogspot.com/2008/11/happy-veterans-day.html' title='Happy Veterans Day!'/><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>andy.itguy@yahoo.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' 
value='10812177971116306280'/></author></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-3516311277991798607</id><published>2008-11-07T15:59:00.000-05:00</published><updated>2008-11-07T16:01:14.541-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ISD 2008'/><category scheme='http://www.blogger.com/atom/ns#' term='Andy ITGuy'/><category scheme='http://www.blogger.com/atom/ns#' term='information security'/><title type='text'>ISD Wrap-Up</title><content type='html'>&lt;p&gt;I had planned on doing a Day One and Day Two post but that didn't happen so I'm gonna do an all-in-one summary. Things started on Tuesday when I met up with Chris Hoff in the Hotel fitness center for a workout. After that was over I hooked up with Adrian Lane, Adam Dodge and David Mortman for dinner. After that there was an informal meet-up back at the hotel with some of the Tech Target team.&lt;/p&gt;  &lt;p&gt;Things really got going on Wednesday morning.&amp;#160; The day started off with a talk by Kevin Mandia talking about incident response. He shared some stories about cases that he had worked on and talked about trends in what he has been seeing and where he thought it might go. Unfortunately they didn't have paper for us and I didn't bring any so I was unable to take notes to give more detail.&lt;/p&gt;  &lt;p&gt;Next up was the ear bleeding &amp;quot;4 Horsemen of the Virtual Apocalypse&amp;quot; talk by Chris Hoff. Why do I call it ear bleeding? Because he had a lot of info to cram into a 45 minute talk. Chris is the man when it comes to virtualization and security (or the lack thereof). Unfortunately even though he talked fast he still didn't get it all in but he has the slides and notes available for download. I recommend getting it if you want to learn more about virtualization and security. &lt;/p&gt;  &lt;p&gt;After that I had a hard choice. David Mortman and Mike Rothman were both speaking at the same time. 
I decided to listen to Mort's talk on Web 2.0 in the enterprise.&amp;#160; He talked about how it's here whether we like it or not and that as consumers of it we have to demand that the vendors/creators do it securely. He also went over the importance of secure code delivery across the board. &lt;/p&gt;  &lt;p&gt;After lunch there was a Panel Discussion from this year's winners of Tech Target's Security 7. They break the world up into 7 verticals and choose someone from each vertical who has made a significant contribution to the world of information security during the last year or so. This year's winners are Bill Boni, Mark Burnette, Michael Mucha, Marc Sokol, Eugene Spafford, Martin Valloud and Mark Weatherford.&lt;/p&gt;  &lt;p&gt;Next we were treated to one of Joel Snyder's informative and entertaining talks on Security Agility.&amp;#160; Joel spoke about the need for IT and Security to be agile and why it is important. Joel's mantra is that it's better to be innovative than efficient. This goes against a lot of what is preached by many others. Joel believes that when we are innovative then we are agile and are better prepared to face the challenges that we come up against daily. Not only that but by being agile we can stay ahead of the curve and when business units come to us with a need or problem we are better prepared to help them.&lt;/p&gt;  &lt;p&gt;Day two was a little slow (or maybe it was me) and by far the highlight was the Security Researchers Panel that included Thomas Ptacek, Billy Hoffman, Dave Aitel and Alexander Sotirov. They talked about SDLC, attacks, breaches and such. It was refreshing to hear guys of this caliber giving their insights into what was going on and possibly where we were headed. This panel was actually my favorite session of the whole conference. &lt;/p&gt;  &lt;p&gt;I'll stop here. It's been a long post already and I've probably lost most of you by now. 
&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://andyitguy.blogspot.com/feeds/3516311277991798607/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=29245024&amp;postID=3516311277991798607' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/3516311277991798607'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/3516311277991798607'/><link rel='alternate' type='text/html' href='http://andyitguy.blogspot.com/2008/11/isd-wrap-up.html' title='ISD Wrap-Up'/><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>andy.itguy@yahoo.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10812177971116306280'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-5777978187741832338</id><published>2008-11-04T16:38:00.002-05:00</published><updated>2008-11-04T16:50:50.028-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='TSA'/><category scheme='http://www.blogger.com/atom/ns#' term='Andy ITGuy'/><title type='text'>TSA strikes again</title><content type='html'>I left Atlanta this morning to fly to Chicago for ISD. Last night as I was packing my bag and going through my laptop backpack to ensure that I didn't have any "contraband" that would raise the ire of a TSA agent, I had a Leatherman that I took out. Removed a USB drive that had a pen knife in it. 
Made sure not to pack my Cross Fountain Pen because there is no way in the world that I would throw it away if they told me I couldn't take it on the plane. I was careful to pack only liquids that were less than 3 ounces and packed them all in one 1 quart clear plastic bag. &lt;br /&gt;&lt;br /&gt;As I went through security at the Atlanta airport all went well as my bags passed through the x-ray scanner and I walked through the metal detector. I grabbed my bag and other stuff and put it all back where it belongs and went on my merry way to the gate. The flight went well and I arrived in Chicago on time. As I was riding the train from the airport to the hotel all of a sudden I remembered that I had another knife in my laptop bag that I didn't remember taking out. It's a Buck 3" straight blade boot knife (don't ask why I carry it). I opened up the compartment that I keep it in and sure enough there it was. How the TSA missed it I'm not really sure. Now I'm faced with the dilemma of what to do with it. Do I take the chance that I can get it on the flight back to Atlanta? If they catch it what happens then? Do they just give me the option to give it up and go on my merry way or do they strip search me and put my name on the no fly list? Not really sure I'm willing to take that chance. 
Maybe I'll mail it to myself before I leave here.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/5777978187741832338'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/5777978187741832338'/><link rel='alternate' type='text/html' href='http://andyitguy.blogspot.com/2008/11/tsa-strikes-again.html' title='TSA strikes again'/><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>andy.itguy@yahoo.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10812177971116306280'/></author></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-8181389003137703275</id><published>2008-11-04T05:33:00.002-05:00</published><updated>2008-11-04T05:51:16.315-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Johnny Long'/><category scheme='http://www.blogger.com/atom/ns#' term='Hackers for Charity'/><category scheme='http://www.blogger.com/atom/ns#' term='Andy ITGuy'/><category scheme='http://www.blogger.com/atom/ns#' term='information security'/><category scheme='http://www.blogger.com/atom/ns#' term='The Academy'/><title type='text'>Help a Hacker</title><content type='html'>A year or so ago I became a fan of the work that &lt;a href="http://johnny.ihackstuff.com/"&gt;Johnny Long&lt;/a&gt; was doing. Not only his Google Hacking, No Tech Hacking, and other cool things, but also his &lt;a href="http://hackersforcharity.org/"&gt;Hackers for Charity&lt;/a&gt; work. Back in April I had the pleasure of seeing Johnny give his No Tech Hacking talk and I met him after the talk. We spent a few minutes talking about hackers for charity. 
At that time I encouraged all of you to check out the &lt;a href="http://hackersforcharity.org/"&gt;hackersforcharity.org&lt;/a&gt; site and do what you could to help with this endeavor. Today I'm renewing that call to action. There are several things that you can do that are very easy, enjoyable and even free (not all are free). You can buy the book No Tech Hacking by clicking through to the Amazon site directly from &lt;a href="http://johnny.ihackstuff.com/"&gt;Johnny's site&lt;/a&gt;. When you do this all the proceeds go directly to &lt;a href="http://hackersforcharity.org/"&gt;Hackers for Charity&lt;/a&gt;. You can buy an "I Hack Charities" vinyl label for your laptop from here. Again all the proceeds go to hackers for charity. You can donate time, money or equipment to the cause. If you blog or podcast tell your readers and/or listeners about the work that is going on at &lt;a href="http://hackersforcharity.org/"&gt;Hackers for Charity&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Now there is something new that you can do. Peter Giannoulis, founder of &lt;a href="http://www.theacademy.ca/2008/10/30/register-for-charity/"&gt;The Academy&lt;/a&gt; web site, is offering to donate $1 for every new member that joins &lt;a href="http://www.theacademy.ca/2008/10/30/register-for-charity/"&gt;www.theacademy.ca&lt;/a&gt; during the month of November. 
So not only do you get to make a charitable donation that costs you nothing but you also become a member of a very cool site that is aimed at making your job as an information security practitioner easier.&lt;br /&gt;&lt;br /&gt;So I encourage all of you to take a look at the work that hackers for charity is doing and think about how you can help out and then do what you can.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/8181389003137703275'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/8181389003137703275'/><link rel='alternate' type='text/html' href='http://andyitguy.blogspot.com/2008/11/help-hacker.html' title='Help a Hacker'/><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>andy.itguy@yahoo.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10812177971116306280'/></author></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-3725123201844930281</id><published>2008-10-28T23:13:00.000-04:00</published><updated>2008-10-28T23:14:08.060-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='identity theft'/><category scheme='http://www.blogger.com/atom/ns#' term='Debix'/><category scheme='http://www.blogger.com/atom/ns#' term='Andy ITGuy'/><title type='text'>Identity Theft knows no age</title><content type='html'>&lt;p&gt;WOW! There has got to be a better way. My friend Mort has started a &lt;a href="http://news.debix.com"&gt;new blog&lt;/a&gt; with the Identity Protection company Debix. Today he has a post about a study that was done looking into identity theft and children. Yes, I said children. 
I'm talking people 17 years old and younger. I'm talking people who can't legally enter into a contract and therefore can't legally have credit. I'm talking boys and girls, little children, underage minors. I'm talking stupidity!&lt;/p&gt;  &lt;p&gt;The numbers and statistics are frustrating and scary. They are also very irritating to me. Why? Because there is NO (repeat NO) reason for someone 17 or younger to have their identity stolen and to have credit opened in their name. As advanced as we are technologically there is no reason for this to happen. It's utterly ridiculous that we have let things get to the point where banks and other financial institutions have not put processes in place to verify the information required to get credit opened in &lt;strike&gt;your&lt;/strike&gt; a name. Simple steps and checks could be put in place to verify whether or not the owner of a SSN is 5, 15 or 55 years old. &lt;/p&gt;  &lt;p&gt;As irritating as the data is there are also some good tips that we all need to follow, especially for our kids. 
Check out the blog to learn lots of good things about protecting your, and your kids', identity.&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://andyitguy.blogspot.com/feeds/3725123201844930281/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=29245024&amp;postID=3725123201844930281' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/3725123201844930281'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/3725123201844930281'/><link rel='alternate' type='text/html' href='http://andyitguy.blogspot.com/2008/10/identity-theft-knows-no-age.html' title='Identity Theft knows no age'/><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>andy.itguy@yahoo.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10812177971116306280'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-5326444027805832652</id><published>2008-10-28T06:58:00.003-04:00</published><updated>2008-10-28T09:17:48.042-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='CSI 2008'/><category scheme='http://www.blogger.com/atom/ns#' term='Andy ITGuy'/><title type='text'>CSI Discount Code</title><content type='html'>Interested in attending &lt;a href="http://www.csiannual.com"&gt;CSI 2008&lt;/a&gt; this year? Don't have the budget to pay full price? Well if you're interested in a 55% discount I can help you out. I have 2 discount codes that I can give if you are interested. 
Drop me a message and I'll get them to you.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/5326444027805832652'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/5326444027805832652'/><link rel='alternate' type='text/html' href='http://andyitguy.blogspot.com/2008/10/csi-discount-code.html' title='CSI Discount Code'/><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>andy.itguy@yahoo.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10812177971116306280'/></author></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-3775924279186495894</id><published>2008-10-23T17:36:00.003-04:00</published><updated>2008-10-24T00:04:31.339-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Andy ITGuy'/><category scheme='http://www.blogger.com/atom/ns#' term='information security'/><title type='text'>To patch or not to patch</title><content type='html'>This morning I slept through my alarm. I woke up at 7:20 am and realized that there was no way that I'd make the last bus into town since it leaves at 7:35 am. That meant that I had to drive the 30 miles to the office. I wasn't happy. Normally I would have declared it a work from the coffee shop day but I had an audit meeting and a couple of other things on the calendar that I needed to take care of. It's now 11:30 pm and I'm still at the office and I'm glad that I didn't make the bus into town. I'd really be stuck here all night. 
Actually, that may still happen.&lt;br /&gt;&lt;br /&gt;After jumping into the shower and getting dressed I headed to a coffee shop to get some coffee and wait for traffic to lessen before making the drive into town. I fired up my laptop and started checking my RSS feeds and email. One of the first things I saw was that Microsoft had a pre-release announcement of an out-of-cycle patch that they were releasing today. Once Microsoft released the info and I thought about it, I realized that this had the potential to be bad news. I remember Blaster, SQL Slammer and Nimda all too well.&lt;br /&gt;&lt;br /&gt;We called a meeting to discuss the issue and determine what our approach to this would be. The management team is made up of former network engineers who lived through Nimda when it hit the company a few years back. As soon as the word "worm" was mentioned they got that far-away look in their eyes. You know the one. It's the same look that you get when someone punches you in the gut. We discussed the pros and cons. We talked about the likelihood that we would actually get hit with anything. We talked about the potential impact if we did get hit. Like most companies we live and die by network activity. Due to the nature of our business we are in a bit of a unique position, because if something got loose on our network it could put people in physical danger as well as do damage to the business itself.&lt;br /&gt;&lt;br /&gt;Needless to say, the decision was made to start patching immediately. We've been at it for several hours now and still have a ways to go. We had to convince the applications team that this needed to be done. We had to put into place our emergency response team (OK, we don't have a real one, but it sounds good). We had to get management buy-in. 
Some would say that we are overreacting, but since there have been confirmed reports of active exploits, Immunity Security has released an exploit for their tool, and I just read that supposedly there is a new worm in the wild, I think a little paranoia is good for the soul.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/29245024-3775924279186495894?l=andyitguy.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/3775924279186495894'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29245024/posts/default/3775924279186495894'/><link rel='alternate' type='text/html' href='http://andyitguy.blogspot.com/2008/10/too-patch-or-not-to-patch.html' title='To patch or not to patch'/><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>andy.itguy@yahoo.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10812177971116306280'/></author></entry></feed>
